Bizarrely, when I clicked on the link, I was redirected to a page of pornography at http://youdon’treallywanttoseeit.com. I immediately hit the back button.

Even stranger, when I re-clicked the link in the SERPs, I was taken to your page correctly. I am not terribly educated on the awful topic of hacking, and I’ve never encountered any information about something that could intermittently do malicious re-directs, but I wanted to let you know about this ASAP. I haven’t ever seen something like this happen before, but hopefully, your team can figure out if your site has been compromised in some way. So sorry about this. It’s awful.

Miriam

My immediate second thought was that my down home farmland WordPress theme, which Mike Ramsey loves so much, had been hacked. When Linda Buquet and Brandon Monchamp contacted me with similar stories I was convinced of it. However, none of the external malware test tools from Google or Sucuri could find anything.

I contacted Sucuri (who do a great job of site security, by the way) and learned that the reality was worse. The cPanel server hosting my site had fallen victim to a new Apache backdoor, Linux/Cdorked:

In fact, Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. Although we are still processing the data, our LiveGrid system reports hundreds of compromised servers. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.

The only telltale signs were the external reports of redirects to porn sites from Google searches. The symptoms that Miriam described are in fact diagnostic, which is my reason for sharing them here. Forewarned is forearmed. Apparently this hack “exploits the fact that cPanel doesn’t use a packaging system to install Apache”.
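Two checks a server admin can script from the description above, written here as an added example (not the author's, Sucuri's or ESET's code): since the only on-disk artifact is the replaced httpd binary, record a SHA-256 baseline of the binary right after a clean rebuild and compare against it on a schedule; and since the backdoor keeps its state in shared memory, list the SysV shared-memory segments owned by the web server user so that unexpected ones stand out for a closer look. The binary path, baseline path and web server user name are assumptions for a cPanel-style install and should be adjusted for your host.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths and the web server
# user below are assumptions for a cPanel/EasyApache-style server.

HTTPD_BIN="${HTTPD_BIN:-/usr/local/apache/bin/httpd}"   # assumed cPanel path
BASELINE="${BASELINE:-/root/httpd.sha256.baseline}"      # assumed baseline file
WEB_USER="${WEB_USER:-nobody}"                            # assumed httpd user

# Record the hash of a known-good binary. Run once, right after a clean
# rebuild, and keep the baseline somewhere the web server cannot write.
record_baseline() {
    bin="$1"; out="$2"
    sha256sum "$bin" | awk '{print $1}' > "$out"
}

# Compare the current binary with the recorded baseline.
# Returns 0 if unchanged, 1 if the hash differs (binary replaced or patched),
# 2 if either file is missing.
check_binary() {
    bin="$1"; base="$2"
    [ -f "$bin" ] && [ -f "$base" ] || return 2
    current=$(sha256sum "$bin" | awk '{print $1}')
    expected=$(cat "$base")
    [ "$current" = "$expected" ]
}

# List SysV shared-memory segments owned by the web server user.
# On Linux, `ipcs -m` prints a blank line, a title line and a header before
# the rows, so skip the first three lines; the owner is the third column.
# A legitimate Apache has a few small segments (scoreboard, caches); anything
# unusually large or unexplained deserves a look.
list_webserver_shm() {
    user="${1:-$WEB_USER}"
    ipcs -m | awk -v u="$user" 'NR > 3 && $3 == u {print}'
}

# Usage:
#   sh httpd-check.sh --baseline   # after a clean rebuild
#   sh httpd-check.sh --check      # from cron; non-zero exit means investigate
case "${1:-}" in
    --baseline)
        record_baseline "$HTTPD_BIN" "$BASELINE" && echo "baseline written to $BASELINE"
        ;;
    --check)
        if check_binary "$HTTPD_BIN" "$BASELINE"; then
            echo "ok: $HTTPD_BIN matches baseline"
        else
            echo "ALERT: $HTTPD_BIN does not match baseline (or baseline missing)"
            echo "shared-memory segments owned by $WEB_USER:"
            list_webserver_shm "$WEB_USER"
            exit 1
        fi
        ;;
esac
```

With a distribution-packaged Apache the same comparison is what `rpm -V httpd` (or `debsums`) does for you against the package's recorded checksums; the baseline file here stands in for that on a build-from-source install.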

Hopefully you will not suffer the same fate, and if you do, you will know what it was quicker than I did. The servers were taken down last night for the patch and cleansed. Thanks to all who alerted me to the problem.

Please consider leaving a comment as your input will help me (& everyone else) better understand and learn about local.

13 thoughts on “Linux/Cdorked: A Nasty New Apache Hack”

Mike – I had the same issue yesterday when clicking through to your site from Google Reader. I had opened a bunch of tabs on different sites through Reader and didn’t notice it until I went to read through them. At the time, I wasn’t positive that it was your site that did it, but now I’m sure that it was.

The redirect I told you about was from Reader, as Eric experienced. Turns out it was the same porn site Miriam got from Google search. Then when I thought maybe it was something on my end and clicked the link again it was fine – just like with Miriam.

I had a similar exploit at my other site about a year ago. They use cookies or something so the exploit will only launch on the 1st click. For me the redirect was limited to 1 click in 24 hours. So if you got the redirect and then tried to reproduce the problem to take a screen shot for your host, or make note of the URL or whatever, it would not redirect again. So that makes it harder to track down and makes you think, maybe it was just a fluke that one time, or maybe a bug in Google or whatever, because you can’t make it happen again. Dang hackers!
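A way to reproduce the first-click behaviour Linda describes from the site owner's side, as an added example that is not part of this thread: every probe starts from an empty cookie jar, sends a search-engine Referer and a browser User-Agent (the conditions under which the readers above were redirected), and then checks whether the response is a redirect to a host other than our own. `SITE` is a placeholder for your own site, and the Referer and User-Agent strings are constructed values; run it from a machine outside the server so the server sees an ordinary visitor.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments.
SITE="${SITE:-https://example.com/}"            # placeholder: your own site URL
REFERER="${REFERER:-https://www.google.com/}"   # constructed search-engine referer
UA="${UA:-Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36}"  # constructed UA

# Host part of a URL, lower-cased, without scheme, port, path or query.
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[/:?].*$##' | tr 'A-Z' 'a-z'
}

# Decide whether a response is a redirect to a different host.
# Args: HTTP status code, Location header value (may be empty), our own host.
# Returns 0 (true) for an off-site redirect, 1 otherwise.
is_external_redirect() {
    status="$1"; location="$2"; own="$3"
    case "$status" in
        301|302|303|307|308) ;;
        *) return 1 ;;
    esac
    [ -n "$location" ] || return 1
    case "$location" in
        /*) return 1 ;;            # relative Location stays on our site
    esac
    target=$(url_host "$location")
    [ "$target" != "$own" ]
}

# One probe with a fresh cookie jar, so a redirect that fires only on the
# first visit (as described in the comment above) is not masked by a cookie
# left over from an earlier request. Redirects are not followed; we only
# inspect the first response.
probe_once() {
    jar=$(mktemp)
    hdrs=$(curl -s -o /dev/null -D - -A "$UA" -e "$REFERER" -c "$jar" -b "$jar" "$SITE")
    rm -f "$jar"
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1) == "location:" {print $2}' \
               | tr -d '\r' | head -n 1)
    if is_external_redirect "$status" "$location" "$(url_host "$SITE")"; then
        echo "ALERT: $SITE redirected to $location (status $status)"
        return 1
    fi
    echo "ok: status $status, no off-site redirect"
}

# Usage: SITE=https://your.site/ sh probe.sh --run
# Repeat from a different source address if you suspect a per-client limit.
[ "${1:-}" = "--run" ] && probe_once
```

Because the comment describes a limit of one redirect per client per day, a clean result from a single probe proves little; keep the probe in a daily job and vary the source address, and treat any single ALERT as worth an integrity check of the server rather than a fluke.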

Same thing happened to me as Eric – happened to me yesterday when clicking from a My Yahoo feed to Mike’s site…then when I clicked the link again it came up fine…which led me to believe it wasn’t Mike’s site and another of the 18 tabs I had open.

Mike
I wanted to let you know this happened to me today. It didn’t appear to be a porn site and I’m pretty sure it was a link I clicked on Linda’s site this morning. I thought it was odd but I just typed in your URL and came over.